New Data Protection Regulations - are you on track to be compliant?
GDPR is the new EU data protection legislation which will replace the current Data Protection Directive, and the Data Protection Act 1998 ('DPA') in the UK.
The UK Government has confirmed that 'Brexit' will not affect the implementation of the GDPR in the UK. We look at what you should be doing now to ensure you remain compliant.
Why does GDPR matter?
1. Significantly increased fines
GDPR significantly increases organisations' risk exposure by imposing far tougher financial sanctions for breach of the Regulation. The most serious breaches of the GDPR could result in fines of up to £20 million or 4% of the organisation's total worldwide annual turnover in the preceding financial year (whichever is greater).
2. Data breach notification
Notification requirements are being significantly tightened. Most firms have some form of data breach in a 12-month period - and some of these breaches may be serious.
Data Controllers are required to notify the appropriate supervisory authority (in the UK this will be the Information Commissioner's Office) of data breaches without undue delay and within 72 hours (if feasible) of learning about the breach, unless the breach is unlikely to result in risk to the rights and freedoms of individuals.
3. Greater rights for data subjects
The new and enhanced rights afforded to individuals under the GDPR include the 'right to erasure' or 'to be forgotten', the right 'to restrict processing', the right 'to data portability', the right 'to object' and rights relating to 'automated individual decision-making', and enhanced data subject access request rights. The broader rights available to a data subject mean organisations are likely to receive a wider range of data subject access requests. Law firms will have to consider how this sits with their need to retain files for a period.
Preparing for GDPR compliance
You will need to be aware of exactly what personal data you hold, what it is used for, where it came from, who it is shared with, and how it is stored.
Policies and procedures will also need to be reviewed and updated.